Friday, November 11, 2005

Per and I just received our new Qtek 8310 mobile devices today and got into trouble when we tried to add our own root certificate.

On Pocket devices and in Windows Mobile 2003 SE you just copy the certificate to the device and double-click it from File Explorer. But on the Qtek 8310 we got the error "Security permission was insufficient to update your device". In desperation, we also tried to use the SPAddcert.exe utility for Windows Mobile 2002 and 2003 Smartphone edition and received the message "The phone may be locked".

The problem was due to changes in the security model in Windows Mobile 5. Although the new model is very interesting and innovative in terms of mobile device security (protecting against malicious software), it isn't something we like when we want our new gadgets to work with WPA and Exchange Server ActiveSync.

Using Google intensively, I finally found the direction for solving the problem (the first version of this post), and using MSDN I found a better solution, as follows:

First you need to get a copy of regeditSTG.exe (apparently an HTC-signed registry editor with an issuer CN that equals HTCCanary), zip it and move it to your device (you get an error if you copy the .exe directly). Now unzip it by double-clicking it from File Explorer (on your device) and run the program. Then change the Grant Manager Policy registry key (remember to note the old value):

HKLM\Security\Policies\Policies\00001017 = 144

After setting the registry key above, reboot your device, copy your root certificate to the device and click it in File Explorer to install it (there's no feedback that the operation was successful; check Settings, Security, Certificates, Root certificates for the existence of your certificate).

Before proceeding, we chose to set the registry setting back to its original value so the phone was once again protected, and finally Exchange ActiveSync and WPA worked like a charm ;-)

The solution apparently works on several different devices like i-Mate, C550, Qtek 8310 (that's the only one we tested; don't ask about the others, but do feel free to comment on those that work ;-) and probably most Windows Mobile 2005 Smartphone devices.

A utility called SDA_ApplicationUnlock.exe can also be found on the Internet but our testing shows us that it does the same as the Grant Manager Policy registry key. The problem with this application is that it only has a "Remove Lock" feature and no "Enable Lock" feature. Different posts/websites show the solution for other phones that include the use of SDA_ApplicationUnlock.exe utility; so if you run into problems you might want to try it.

Disclaimer - We don't know the copyrights on the mentioned utilities - so this posting is only meant for informational purposes and be sure to get correctly licensed versions of these!

Working with a full-price, carrier-independent i-mate SP5 (bought from smartphoneshop.nl), I was not able to install the certificate using the workaround recommended here (changing the value of 00001017 to 144). I got the "phone may be locked" message.

However, I WAS able to install it after running SDA_ApplicationUnlock.

This indicates to me that SDA_ApplicationUnlock does something other than the change mentioned.

On the positive side, I now have air sync with Exchange working!

On the less positive side, as aptly noted in the post above, there has now been a change made to my phone and I have no idea what it is! So if anyone has any ideas what changes are really made by SDA_ApplicationUnlock, I'd love to hear about it.

Hi, thanks for the tip. But I got mine working a bit differently. If I reboot the device after I made the reg change, it will be set back to the old restricted value. All I did was to make the reg change and run the certificate file and it imported successfully. I don't even need to use the HTC reg editor. I am doing this on Dopod 818 pro (aka HTC prophet)

Thanks for your comment. It seems to work differently depending on the phone and version of Windows Mobile. With AKU2 on the Qtek 8310 device I only need to set the Grant Manager registry key to 144 and then install the certificate (Without booting).

I had this issue with an o2 Atom when trying to install a custom root certificate. Resolved it by changing the value of 00001017 to 144 but the trick was NOT to reboot before installing the certificate. (When I rebooted the device it seemed to reset the registry keys back to the original settings)

One of my users has an O2 XDA Atom - a very sweet WM5 phone indeed - to which we needed to add the root CA cert for a cert server on our local network in order to enable Active Sync 4.1 for Exchange 2003 using HTTPS. I discovered that the RegeditSTG didn't work: i.e. the registry keys remained locked. Scratching around a bit more, I found a link to Resco Explorer, a shareware Windows Mobile 2Kx package that bundles a signed registry viewer that DOES work with the Atom. http://www.resco.net/pocketpc/explorer/default.asp Changed Security keys as instructed and installed the certs for the CA and the Exch 2K3 server without a problem. Reset the keys and tested ActiveSync - all good!